Subject: Re: DOS attacks
To: Brook Milligan <brook@biology.nmsu.edu>
From: David Maxwell <david@fundy.ca>
List: netbsd-advocacy
Date: 02/10/2000 16:58:59
On Thu, Feb 10, 2000 at 12:54:49PM -0700, Brook Milligan wrote:
> Does anyone know how NetBSD fairs in handling denial of service
> attacks like are going on now with Yahoo!, etc.? Is there any way to
> up the profile of NetBSD by promoting an architectural feature that
> makes it easier to avoid such problems and gain a bit from the blast
> of recent publicity?
Although I have yet to see a proper technical analysis of the attacks that
have occurred, I believe the press is misleading people somewhat.
The attacks sound like brute force flooding, probably with forged source
addresses. If you have a T1, and I send you 100 T1s worth of data, there's
nothing your OS can do. You need to try to filter the false data further
back in the network, at your upstream ISP, or their upstream, etc. You need
to block the data at a point in the network where you have space to spare
in the pipe.
Current backbone routers aren't good at filtering large amounts of data,
or dynamically selecting data to filter. We'll probably start to see vendors
supply software to manage this, kind of like tracing a call in the phone
systems.
It would certainly help for starters if more network admins would filter
forged source packets on their network egress.
Sorry, drifted there.. anyway, it's an insfrastructure issue, not an OS
issue.
--
David Maxwell, david@vex.net|david@maxwell.net -->
If you don't spend energy getting what you want,
You'll have to spend it dealing with what you get.
- Unknown